Medical Records & Privacy

Medical Records

Privacy and Security of Personal Health Information

This practice is bound by the Federal Privacy Act 1998 and National Privacy Principles.

‘Personal health information’ is a particular subset of personal information and can include any information collected to provide a health service.

This information includes medical details, family information, name, address, employment and other demographic data, past medical and social history, current health issues and future medical care, Medicare number, accounts details and any health information such as a medical or personal opinion about a person’s health, disability or health status.

It includes the formal medical record, whether written or electronic, as well as information held or recorded on any other medium (e.g. letter, fax or electronic message) and information conveyed verbally.

Our practice has designated the Practice Manager with primary responsibility for the practice’s electronic systems, computer security and adherence to protocols as outlined in our Computer Information Security policy.

Our Security policies and procedures regarding the confidentiality of patient health records and information are documented and our practice team are informed about these at induction and when updates or changes occur.

The practice team can describe how we correctly identify our patients using three patient identifiers (name, date of birth, and address or gender) to confirm we have the correct patient record before entering or actioning anything from that record.

For each patient we have an individual patient health record containing all clinical information held by our practice relating to that patient. The Practice ensures the protection of all information contained therein. Our patient health records can be accessed by an appropriate team member when required. We also ensure information held about the patient in different records (e.g. at a residential aged care facility) is available when required.

Computer Information Security

Our practice has systems in place to protect the privacy, security, quality and integrity of the data held electronically. Doctors and staff are trained in computer use and in our security policies and procedures, and are updated when changes occur.

Our Practice Manager has designated responsibility for overseeing the maintenance of our computer security and our electronic systems.

All clinical staff have access to a computer to document clinical care. For medico-legal reasons, and to provide evidence of items billed in the event of a Medicare audit, staff, especially nurses, always log in under their own passwords to document care activities they have undertaken.

Our practice ensures that our practice computers and servers comply with the RACGP computer security checklist and that:

  • computers are only accessible via individual password access to those in the practice team who have appropriate levels of authorisation.
  • computers have screensavers or other automated privacy protection devices enabled to prevent unauthorised access to computers.
  • servers are backed up and checked at frequent intervals, consistent with a documented business continuity plan.
  • backup information is stored in a secure off-site environment.
  • computers are protected by antivirus software that is installed and updated regularly.
  • computers connected to the internet are protected by appropriate hardware/software firewalls.
  • we have a business continuity plan that has been developed, tested and documented.

Electronic data transmission of patient health information from our practice is in a secure format.

Our practice has the following information to support the computer security policy:

  • current asset register documenting hardware and software including software licence keys
  • logbooks/print-outs of maintenance, backup including test restoration, faults, virus scans
  • folder with warranties, invoices/receipts, maintenance agreements

This Practice reserves the right to check individuals' Computer System history as a precaution against fraud, workplace harassment or breaches of confidence by employees. Inappropriate use of the Practice's Computer Systems or breaches of Practice Computer Security will be fully investigated and may be grounds for dismissal.

This practice has a sound backup system and a contingency plan to protect practice information in the event of an adverse incident, such as a system crash or power failure. This plan encompasses all critical areas of the practice’s operations such as making appointments, billing patients and collecting patient health information. This plan is tested on a regular basis to ensure backup protocols work properly and that the practice can continue to operate in the event of a computer failure or power outage.

Practice Privacy Policy

The National Privacy Principles require our practice to have a document that clearly sets out its policies on handling personal information, including health information.

This document, commonly called a privacy policy, outlines how we handle personal information collected (including health information) and how we protect the security of this information. It is made available to anyone who asks for it and patients are made aware of this.

This informs patients about how their health information will be used including other organisations to which the practice usually discloses patient health information and any law that requires the particular information to be collected.

In general, quality improvement or clinical audit activities undertaken to improve the delivery of a particular treatment or service are considered a directly related secondary purpose for information use or disclosure, so we do not need to seek specific consent for this use of patients' health information. We do, however, include information about quality improvement activities and clinical audits in the practice policy on managing health information.

Third Party Requests for Access to Medical Records/Health Information

Requests for third party access to the medical record should be initiated either by receipt of correspondence from a solicitor or government agency, or by the patient completing a Patient Request for Personal Health Information Form. Where a patient request form or signed authorisation is not obtained, the practice is not legally obliged to release any information.

Where requests for access are refused, the patient or the third party may seek access under relevant privacy laws.

An organisation 'holds' health information if it is in their possession or control. If we receive reports or other health information from another organisation such as a medical specialist, we provide access in the same manner as for the records we create. If the specialist has written 'not to be disclosed to a third party' or 'confidential' on their report, this has no legal effect in relation to requests for access under the Health Records Act 2001. We also provide access to records which have been transferred from another health service provider.

Requests for access to the medical record and associated financial details may be received from various third parties including:

  1. Subpoena/court order/coroner/search warrant
  2. Relatives/Friends/carers
  3. External doctors & Health Care Institutions
  4. Police /Solicitors
  5. Health Insurance companies/Workers Compensation/Social Welfare agencies
  6. Employers
  7. Government Agencies
  8. Accounts/Debt Collection
  9. Students (Medical & Nursing)
  10. Research /Quality Assurance Programs
  11. Media
  12. International
  13. Disease registers
  14. Telephone Calls

We only transfer or release patient information to a third party once the consent to share information has been signed; in specific cases, informed patient consent may also be sought. Where possible, de-identified information is sent.

Request for Access to Personal Health Information

Patients at this practice have the right to access their personal health information (medical record) under the Commonwealth Privacy Amendment (Private Sector) Act 2000 and the Health Records Act 2001. The HRA gives individuals a right of access to their personal health information held by any organisation in the private sector in accordance with Health Privacy Principle 6 (HPP 6). This principle obliges health service providers and other organisations that hold health information about a person to give them access to their health information on request, subject to certain exceptions and the payment of fees (if any).

Public sector organisations continue to be subject to the Freedom of Information Act 1982.

This practice complies with both laws and the National and Health Privacy Principles (NPPs & HPPs) adopted therein. See the summary headings of the Principles in this section. Both Acts give individuals the right to know what information a private sector organisation holds about them, the right to access this information, and the right to make corrections if they consider the data is incorrect.

National Privacy Principles

  • NPP 1:   Collection of personal information by an organisation.
  • NPP 2:   How an organisation may use and disclose personal information in its possession.
  • NPP 3:   Relates to the quality of the data held by an organisation.
  • NPP 4:   Organisation must take reasonable steps to make sure the personal information it holds is secure.
  • NPP 5:   Requires an organisation to be open about what personal information it holds and its policy on the management of personal information.
  • NPP 6:   Relates to access and correction of personal information held by an organisation about an individual, by that individual.
  • NPP 7:   The use of identifiers assigned by a Commonwealth Agency.
  • NPP 8:   Individuals have the option of not identifying themselves when entering transactions with organisations.
  • NPP 9: Regulates the transfer of personal information held by an organisation in Australia.
  • NPP 10:  Limits on when an organisation is permitted to collect sensitive information.

Reports by Specialists

This information forms part of the patient’s medical record, hence access is permitted under privacy law.

Diagnostic Results

This information forms part of the patient’s medical record, hence access is permitted under privacy law.

We respect an individual's privacy and allow access to information via personal viewing in a secure private area. The patient may take notes of the content of their record or may be given a photocopy of the requested information. A GP may explain the contents of the record to the patient if required. An administrative charge may be applied, at the GP's discretion and in consultation with the Privacy Officer, e.g. for photocopying the record or X-rays and for staff time involved in processing the request.

Privacy Officer

This practice has a designated Privacy Officer who implements and monitors adherence to all privacy legislation in this practice.

The Privacy Officer acts as liaison for all privacy issues and patient requests for access to their personal health information.

If staff members have any queries concerning privacy law, i.e. the Commonwealth Privacy Act – Privacy Amendment (Private Sector) Act 2000, they should refer to the Privacy Officer.

The privacy officer is responsible for ensuring compliance with relevant Privacy principles and legislation and for developing and maintaining our written protocols. The privacy officer liaises with the person responsible for Computer security and systems.

RACGP 4th edition Standards 4.2.1.

Privacy Audit

From time to time or in the event of any issues or complaints relating to privacy matters, this practice conducts a review of privacy policies and procedures.

Creating a New Medical Record

Once patient name, address, date of birth and related demographic details are received by reception, enter this information into the patient record.

Retrieving a Medical Record for a Current Patient

Computerised patient records are only accessed by authorised doctors and staff via secure login/password.

Filing Reports (Pathology, X-Ray, Consultant’s etc)

This practice scans all patient paper based correspondence with copies of this data securely stored.

Original copies are retained for 7 days.

If results are received electronically, they are to be checked by the referring doctor or Practice Principal daily, and the appropriate action box marked.

Errors in Medical Record

Corrections in the electronic record should be recorded by referring to the date of the original entry and the associated amendment.

The patient has a right to have their personal health information amended if he/she can establish that it is not accurate, complete, misleading or up to date.

Allergies & Alerts

Alert notification may be required for allergic responses, drug reactions, and previous aggressive behaviour or guardianship/custody arrangements.

It is practice policy to ensure that all patients have their allergic status recorded especially any allergies to medications to facilitate safer prescribing. In computer based records “no known allergies” is recorded in the absence of any allergies to note.

Back Up of electronic medical records

In order to avoid lengthy down time, disruption, and medico-legal issues frequent backups are essential and form a critical component of the practice disaster recovery plan. A formal policy for the back up of the practice computer systems is in place.

Retention of Records and Archiving

Patient Health Records must be kept until the patient is 25 years of age, if a child, or for a minimum of 7 years following the last year of the patient's attendance, whichever is greater.

This Practice retains paper medical records for a minimum of 7 years. Inactive electronic patient records are retained indefinitely or as stipulated by the relevant national, state or territory legislation.

Patient accounts records are also retained for a minimum of 7 years.

Records of Drugs of Addiction stock and administration must be retained for a minimum of 3 years.

Sterilisation Cycle records and evidence of vaccine fridge temperature monitoring are retained as per patient health records.

Where our patients have chronic conditions or genetic diseases, or at the doctor's discretion, their records are kept permanently.

Records of patients that have been sought for legal purposes are retained permanently.

Records of deceased patients are kept for 7 years following the year of death.
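The retention rules above combine a "whichever is greater" test for children with separate rules for deceased patients and permanent retention. The following is an added worked example (not the practice's own system) that computes the earliest permitted destruction date for a record; it assumes "child" means under 18 at the last attendance and that "7 years following the last year" is counted from 31 December of that year, since the policy does not define either.

```python
from datetime import date
from typing import Optional

# Retention periods as stated in the practice policy.
CHILD_RETENTION_AGE = 25       # keep a child's record until they turn 25
GENERAL_RETENTION_YEARS = 7    # 7 years following the last year of attendance / year of death
ADULT_AGE = 18                 # assumption: the policy does not define "child"; under 18 used here


def end_of_year(d: date) -> date:
    """31 December of the year containing d ('following the last year of attendance')."""
    return date(d.year, 12, 31)


def add_years(d: date, years: int) -> date:
    """Add calendar years, clamping 29 February to 28 February in non-leap years."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def retention_end(date_of_birth: date, last_attendance: date,
                  date_of_death: Optional[date] = None,
                  permanent: bool = False) -> Optional[date]:
    """Earliest date the record may be destroyed, or None if it must be kept permanently.

    permanent covers chronic/genetic conditions, doctor's discretion and records
    sought for legal purposes, all of which the policy retains permanently.
    """
    if permanent:
        return None
    if date_of_death is not None:
        # Deceased: 7 years following the year of death.
        return add_years(end_of_year(date_of_death), GENERAL_RETENTION_YEARS)
    seven_years_after = add_years(end_of_year(last_attendance), GENERAL_RETENTION_YEARS)
    was_child = last_attendance < add_years(date_of_birth, ADULT_AGE)
    if was_child:
        # Child: until age 25 or 7 years after last attendance, whichever is greater.
        turns_25 = add_years(date_of_birth, CHILD_RETENTION_AGE)
        return max(turns_25, seven_years_after)
    return seven_years_after


def may_destroy(record_end: Optional[date], today: date) -> bool:
    """True only once the retention period has fully elapsed (never for permanent records)."""
    return record_end is not None and today > record_end
```

A records clean-up job should call `may_destroy` per record and log each decision so the retention reasoning is auditable later.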

Outdated paper based test results that no longer have clinical relevance are culled to assist with storage. This is done in consultation with the medical defence organisations and in compliance with state legislation.

Transfer of Medical Records

Transfer of medical records from this Practice can occur in the following instances:

  • for medico-legal reasons e.g. record is subpoenaed to court.
  • when a patient asks for their medical record to be transferred to another Practice, due to moving residence or for other reasons.
  • where an individual medical record report is requested from another source.
  • where the Doctor is retiring and the practice is closing.